What is Phishing? Complete Guide to Phishing Attacks

Definition

Phishing is a type of social engineering attack where criminals attempt to trick victims into revealing sensitive information—such as login credentials, credit card numbers, or personal data—by impersonating a trusted entity through electronic communication.

The term "phishing" is a play on "fishing," reflecting how attackers cast wide nets using lures (deceptive messages) to catch victims.

How Phishing Works

A typical phishing attack follows this pattern:

Bait creation – Attacker crafts a convincing message impersonating a trusted brand
Distribution – Message sent via email, SMS, social media, or other channels
Deception – Victim clicks a link leading to a fake website or opens a malicious attachment
Harvesting – Victim enters credentials or data into the fake site
Exploitation – Attacker uses stolen credentials for account takeover, fraud, or further attacks

Types of Phishing

Email Phishing

The most common form—mass emails impersonating banks, services, or employers.

Spear Phishing

Targeted attacks against specific individuals using personalized information.

Smishing

Phishing via SMS text messages, often claiming urgent account or delivery issues.

Vishing

Voice phishing through phone calls impersonating support or institutions.

Clone Phishing

Legitimate emails copied and resent with malicious links replacing originals.

Why Phishing Works

Phishing exploits human psychology:

Authority – Messages appear from trusted sources
Urgency – Time pressure prevents careful thinking
Fear – Threats of account suspension or loss
Curiosity – Intriguing subject lines or offers
Familiarity – Use of real logos, templates, and names

Phishing Statistics

Over 90% of data breaches involve phishing
36% of breaches involve phishing
Average cost of a phishing attack: $4.76 million
Phishing sites live an average of 24 hours

Tools & Resources

Need Protection?

Learn how our phishing detection service can protect your organization and customers.